Agents interested in malicious behaviors include all entities that may engage in such behaviors and/or profit from it. These agents are grouped into three categories according to the amount of resources they may have to cause harm to the vehicular network:
The first category of attackers are solitary attackers who mainly operate on their own. They have limited monetary resources and use the Internet as their main source of information. Examples of attackers in this category include: Unscrupulous or opportunistic individuals; Computer hackers; Automotive, electronic, or computer hobbyists; and Very loosely organized groups.
The second category of attackers are typically one or more groups of individuals who are moderately coordinated, communicate on a regular basis, have moderate resources, can obtain information not publicly known or available. Examples of attackers in this category include: Corrupt Insiders and Unscrupulous Businesses.
The third category of attackers are highly organized, have access to expansive resources, can infiltrate organizations and obtain closely held secrets, may consider life and individuals expendable to achieve their goals, and may be supported by governing bodies of foreign nations. Examples of attackers in this category include: Organized Crime and Foreign nations.
Some of the potential motivations that may drive agents to exhibit malicious behaviors within a vehicular network, in an order of increasing impact, are: Sadistic pleasure in harming other vehicles or the entire vehicular network; Preferential treatment from the vehicular network for the purposes of evading law enforcement, assisting in criminal operations, or diverting attention from a primary attack; Prestige in a successful hack or a new virus launch; Manipulate traffic authority decisions; Acquiring personal advantages in driving conditions or economic gain; e.g., committing insurance fraud or car theft; Promote national, political, and special interests; and Civil, political and economic disruption, including warfare.
Security attacks and malicious behaviors based on communications activities in a vehicle-to vehicle (V2V) communications environment can be categorized as follows:
1) Attackers could modify the communication content coming from their vehicles' software or hardware, including: inaccurate traffic conditions, including false warnings related to forward collisions, blind spot situations, lane changes, unsafe passing; and inaccurate driving conditions or patterns, such as false statements about speeds, braking, directions, positions, and intersection movement.
2) Attackers could modify the communication functionalities of their vehicles' software or hardware to carry out attacks, such as one of the attacks above and the following: modifying transmission timing intervals of messages; delaying the delivery of messages; sending more messages than the vehicle is designed to; not sending messages for a long enough time interval; and disabling the functioning of a vehicle's software, say, because of privacy concerns. Attackers could attempt to impersonate vehicles or other network entities (e.g., servers) to cause harm to the vehicular network operations. Attackers could act as intruders and attempt to use data stored on vehicles or other network entities (e.g., servers) to cause harm to the vehicular network operations.
In order to ensure safe and secure operation of a vehicle communications system, malicious use of the certificates to cause harm to the vehicles networks and applications need to be detected so that these certificates can be revoked. Malicious vehicles used to cause significant harm to the vehicle networks and applications need to be detected and “evicted” from the vehicle communications network. If vehicles have frequent infrastructure network connectivity, they can rely on trusted servers in the infrastructure network to detect and respond to security threats. These infrastructure servers could collect information from a large number of vehicles and have sufficient processing capabilities to analyze the data to detect malicious activities. However, when vehicles have sporadic or zero infrastructure connectivity along the roads, attackers could perform attacks without being monitored by any highly trusted entities such as infrastructure servers. Vehicles can no longer rely on any infrastructure-based servers to help detect malicious activities. As a result, attacks will have much higher chances to be successful, and attackers would have a much higher chance of being undetected. Vehicles would have to rely on themselves and interactions with other potentially untrusted vehicles to detect malicious activities and mitigate their impacts.
In V2V communications, particularly with no infrastructure network support, it is essential for the vehicles to be able to rely on themselves and distributed techniques to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (or eliminating) suspected malicious vehicle from the system (i.e., to ignore the messages sent from the suspected malicious vehicle). Such a capability allows the vehicles to communicate securely without being excessively impacted by malicious activities without relying on infrastructure network connectivity.
Several approaches exist in the prior art in which vehicles decide locally whether or not to evict a suspected malicious vehicle from the system. Two methods have recently been considered for V2V vehicular communications networks are: voting mechanisms, and ‘Sacrifice’ by individual vehicles, in which a suspected device is evicted together with its ‘accuser’. (This is also sometimes termed “suicide for the common good’).
In a voting mechanism, such as LEAVE described by T. Moore et al. “Fast exclusion of errant devices from vehicular networks”, Proceedings IEEE SECON, San Francisco, Calif., Jun. 16-20, 2008, vehicles vote by exchanging signed claims of impropriety of another vehicle. Each vehicle then adds these warning messages to its ‘accusation list’. Once the warning votes against a vehicle exceed a threshold, the accused vehicle is placed on a ‘blacklist’, similar to a local or temporary certificate revocation list (CRL). For nodes which are placed on the blacklist, additional ‘disregard this vehicle’ messages will be broadcast to other vehicles. Typically, the majority vote principle is used to decide when to deem another vehicle untrustworthy and to send a warning message about this untrusted vehicle.
A majority vote detection mechanism relies on an ‘honest majority’: every node must have more good neighbors than bad. Therefore, local communication graph structure can have a significant effect on the dynamics of the voter model, see, e.g., V. Sood, T. Antal, S. Redner, “Voter models on heterogeneous networks”, Phys. Rev. E, April 2008. Bad nodes can eliminate good nodes if they form a local majority. Good nodes can eliminate bad nodes if they have a local majority. Specifically, they can send sufficiently many ‘warning’ and/or ‘disregard’ messages in LEAVE, for example.
For V2V communications, consider the following threat model: attackers can disseminate false messages and abuse the elimination mechanism. Furthermore, multiple attackers can collude.
In a ‘sacrifice’ based model, any vehicle can evict any other vehicle by simultaneously agreeing to limit its own participation in future V2V communications hence giving his decision more credibility. Therefore, in this scheme it is easier to evict a node than in a vote-based mechanism where a majority votes from multiple vehicles are used to decide whether to evict a vehicle. However, abuse of this mechanism is made more costly by forcing simultaneous removal of the accuser: ‘Disregard’ messages by an accuser cause simultaneous disregard of both the suspected node and its accuser.
The prior art fails to address how to determine how many malicious vehicles can the vehicle network tolerate before the innocent vehicles loss their ability to detect and evict malicious vehicles. The present invention has a provable bound on the number of malicious vehicles the system can tolerate before the system loses its ability to detect and evict malicious vehicles. This is important for determining how long the malicious detection and eviction method can continue to run before it has to rely on other means, such as communications with infrastructure-based intrusion detection systems, to eliminate the malicious vehicles.